13 Replies

Being a smaller company, we don't. We only use group level permissions, so I don't see the need. If someone in accounting needs permissions to the account share, then they are in the accounting security group.

This would work but the workload is spread out at our company. Just because you're hired for accounting doesn't mean you don't need access to energy efficiency. Our departments generally consist of 2-3 people in the office. The majority of users are off-site linemen that do not have login privileges, just e-mail.

A Spicehead, Chris128, has a tool that he built that will report back your NTFS permissions, http://cjwdev.co.uk/Software/NtfsReports/Info.html. You may be able to maintain the information better with his paid version since you can export it. The free version is good, just lacks some of the reporting tools.

Disclosure: I gain nothing from recommending this tool in any way. He just does good work and is active in the community.

This would work but the workload is spread out at our company. Just because you're hired for accounting doesn't mean you don't need access to energy efficiency. Our departments generally consist of 2-3 people in the office. The majority of users are off-site linemen that do not have login privileges, just e-mail.

I am confused. If they have just email and no logon privileges then they can't have permissions to be documented.

Like most, we have it in AD as a group. Based on that is security. But just because they COULD access the drive (security wise) we might have forgotten to map that drive or not mapped it for a reason. To actually show the mappings for each person though, in case I forgot, we put the following line in each of the login scripts in place:

net use > \\<server>\public\MappedDrives\%USERNAME%.txt

With this we get a full list of each mapped drive (even ones that were set outside of the script) so we can make sure when adjusting their script to give/take away access we get the correct drive/mapping.
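
One way to turn the per-user files written by the `net use` login-script line above into a single report, as an added example that is not part of the original thread. The function name `ConvertFrom-NetUseText`, the sample output, and the server and user names are constructed for illustration, and share paths are assumed to contain no spaces.

```powershell
# Added example, not from the thread: parse saved `net use` output into objects.
function ConvertFrom-NetUseText {
    param(
        [string]   $UserName,   # taken from the file name (%USERNAME%.txt)
        [string[]] $Lines       # raw lines of the saved `net use` output
    )
    foreach ($line in $Lines) {
        # Data rows look like: [Status]  <Local:>  <\\server\share>  [Network]
        # Status may be blank; header, separator and footer lines do not match.
        if ($line -match '^(?<Status>\S*)\s+(?<Local>[A-Za-z]:)\s+(?<Remote>\\\\\S+)') {
            [pscustomobject]@{
                User   = $UserName
                Status = $Matches['Status']
                Drive  = $Matches['Local'].ToUpper()
                Remote = $Matches['Remote']
            }
        }
    }
}

# Constructed sample of what one user's file could contain.
$sample = @'
New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK           H:        \\fs01\home\jdoe          Microsoft Windows Network
Unavailable  S:        \\fs01\accounting         Microsoft Windows Network
The command completed successfully.
'@ -split '\r?\n'

ConvertFrom-NetUseText -UserName 'jdoe' -Lines $sample | Format-Table -AutoSize

# Against the real share (placeholder path exactly as written in the post):
# Get-ChildItem '\\<server>\public\MappedDrives\*.txt' | ForEach-Object {
#     ConvertFrom-NetUseText -UserName $_.BaseName -Lines (Get-Content $_.FullName)
# } | Export-Csv .\MappedDrives.csv -NoTypeInformation
```

Because every user's login script must be able to write to that share, the files can be altered by the users themselves, so the report is a convenience inventory of mappings rather than an audit record of permissions.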

In a perfect world, your file/folder infrastructure should be implemented in a way that all you need to do is add users to security groups. Those groups should be constructed in a way that accounting should all have access to the same things, supervisors, the same way, etc... You should never, ever, need to set permissions at the file level.

Okay, back to reality. There always seem to be exceptions. I could spend an entire month redoing my whole infrastructure and all of a sudden, someone who does billing needs access to a log that only people in service have access to, which is 3 folders deep. Even after explaining why this becomes a nightmare to manage, you'll get overruled by the powers-that-be.

In other words.....

As the lone IT guy here for 175+ users, I don't keep track of it all. It would be a full-time job. We are growing like crazy. It may be different if the company hadn't nearly doubled in the last year and a half. I clean stuff out when I notice it, and try and keep the requests down to a minimum. It's not perfect, but it works.

It can be very hard to keep track of these things. If you are more than a one man show, you would have to make sure each change is recorded every time by whoever makes the changes. I started to keep a list of all of our permissions, but with the amount that they change it got to be too much.

I would also recommend using our change auditing tool called NetWrix File Server Change Reporter to document all file permission changes. It will give a complete history of what changes were made to permissions on folders (such as who was granted access etc).
